Critical Apache ActiveMQ Vulnerability CVE-2026-34197 Under Active Exploitation
A significant security flaw in Apache ActiveMQ Classic, identified as CVE-2026-34197 with a CVSS score of 8.8, has been actively exploited, prompting the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to include it in its Known Exploited Vulnerabilities (KEV) catalog. Federal Civilian Executive Branch (FCEB) agencies are mandated to implement the necessary patches by April 30, 2026.
This vulnerability arises from improper input validation, leading to potential code injection. Attackers can exploit this flaw by leveraging ActiveMQ’s Jolokia API to execute arbitrary operating system commands. Notably, this issue has been present for 13 years, as highlighted by Horizon3.ai’s Naveen Sunkavally.
The exploitation process involves invoking management operations through the Jolokia API, tricking the broker into fetching a remote configuration file and executing arbitrary OS commands. While the vulnerability requires credentials, default credentials (admin:admin) are prevalent in many environments. In versions 6.0.0 to 6.1.1, another vulnerability (CVE-2024-32114) exposes the Jolokia API without authentication, making CVE-2026-34197 effectively an unauthenticated remote code execution (RCE) in these versions.
The affected versions include:
– Apache ActiveMQ Broker (org.apache.activemq:activemq-broker) before 5.19.4
– Apache ActiveMQ Broker (org.apache.activemq:activemq-broker) 6.0.0 before 6.2.3
– Apache ActiveMQ (org.apache.activemq:activemq-all) before 5.19.4
– Apache ActiveMQ (org.apache.activemq:activemq-all) 6.0.0 before 6.2.3
Users are strongly advised to upgrade to 5.19.4 (5.x line) or 6.2.3 (6.x line) to mitigate this issue. Although details of the in-the-wild exploitation have not been published, reports indicate that threat actors are actively targeting exposed Jolokia management endpoints in Apache ActiveMQ Classic deployments.
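The affected ranges above, together with the 6.0.0 to 6.1.1 window in which CVE-2024-32114 leaves Jolokia reachable without credentials, can be turned into a small triage check for an inventory of broker versions. The following is an added example written for this article, not code from the Apache ActiveMQ project; it assumes version strings of the form major.minor.patch (an optional qualifier such as -SNAPSHOT is ignored), and the boundary values are taken directly from the advisory text.

```python
"""Classify Apache ActiveMQ Classic versions against the affected ranges for
CVE-2026-34197 and the CVE-2024-32114 unauthenticated-Jolokia window.
Example code written for this article, not the Apache project's own."""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Boundaries taken from the advisory text.
FIX_5X = (5, 19, 4)             # first fixed release on the 5.x line
FIX_6X = (6, 2, 3)              # first fixed release on the 6.x line
UNAUTH_JOLOKIA_MAX = (6, 1, 1)  # CVE-2024-32114: 6.0.0 through 6.1.1


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '5.18.3' or '6.1.0-SNAPSHOT' into a comparable (major, minor, patch) tuple.
    A missing minor/patch component counts as 0, so '5.19' -> (5, 19, 0)."""
    core = text.strip().split("-")[0]
    parts = [int(p) for p in core.split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unrecognised version string: {text!r}")
    while len(parts) < 3:
        parts.append(0)
    return parts[0], parts[1], parts[2]


@dataclass(frozen=True)
class Assessment:
    version: str
    affected: bool            # CVE-2026-34197: RCE via the Jolokia API (credentials needed)
    unauth_jolokia: bool      # CVE-2024-32114: Jolokia reachable without authentication
    upgrade_to: Optional[str] # fixed release on the same line, or None if already fixed

    @property
    def effectively_unauth_rce(self) -> bool:
        """Both issues together: code execution reachable without credentials."""
        return self.affected and self.unauth_jolokia


def assess(text: str) -> Assessment:
    """Apply the advisory's ranges to one version string."""
    v = parse_version(text)
    if v[0] <= 5:
        # 'before 5.19.4' covers every 5.x release older than the fix
        affected = v < FIX_5X
        return Assessment(text, affected, False, "5.19.4" if affected else None)
    if v[0] == 6:
        # '6.0.0 before 6.2.3'
        affected = v < FIX_6X
        unauth = (6, 0, 0) <= v <= UNAUTH_JOLOKIA_MAX
        return Assessment(text, affected, unauth, "6.2.3" if affected else None)
    return Assessment(text, False, False, None)   # newer line, not listed as affected


def triage(versions: Iterable[str]) -> List[Assessment]:
    """Assess a whole inventory, most urgent (unauthenticated RCE) first."""
    return sorted((assess(v) for v in versions),
                  key=lambda a: (not a.effectively_unauth_rce, not a.affected, a.version))


if __name__ == "__main__":
    # Constructed inventory for demonstration only.
    for a in triage(["5.18.3", "5.19.4", "6.1.1", "6.2.2", "6.2.3"]):
        flag = "UNAUTH RCE" if a.effectively_unauth_rce else ("affected" if a.affected else "fixed")
        print(f"{a.version:<8} {flag:<11} upgrade_to={a.upgrade_to}")
```

Brokers flagged as unauthenticated RCE (6.0.0 to 6.1.1) should be patched first, since for those the credential requirement discussed above does not apply.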
Telemetry data from Fortinet FortiGuard Labs has recorded numerous exploitation attempts, with activity peaking on April 14, 2026. This trend underscores the accelerating pace at which attackers exploit newly disclosed vulnerabilities, often breaching systems before patches are applied.
Apache ActiveMQ has been a frequent target for attacks. Since 2021, vulnerabilities in this open-source message broker have been exploited in various malware campaigns. In August 2025, a critical vulnerability (CVE-2023-46604) was used to deploy a Linux malware named DripDropper.
Given ActiveMQ’s integral role in enterprise messaging and data pipelines, exposed management interfaces pose significant risks, including data exfiltration, service disruption, and lateral movement within networks. Organizations should:
– Audit all deployments for externally accessible Jolokia endpoints.
– Restrict access to trusted networks.
– Enforce strong authentication measures.
– Disable Jolokia where it is not required.
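The first two recommendations (find externally reachable Jolokia endpoints, restrict them to trusted networks) can be checked retrospectively against the web console's access log. Below is an added example, not ActiveMQ's own tooling: it assumes the embedded Jetty request log is written in NCSA common log format, it uses the /api/jolokia path under which the ActiveMQ web console serves Jolokia, the trusted network ranges are placeholders to replace with your own management networks, and the sample log lines are constructed for the demonstration.

```python
"""Flag Jolokia management-API requests in an ActiveMQ web-console access log that
come from outside the trusted management networks. Example code written for this
article, not ActiveMQ's own; sample log lines are constructed."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List

# NCSA common log format, as written by Jetty's request log.
# Assumption: the deployment has Jetty request logging enabled in this format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# The ActiveMQ web console exposes Jolokia under this path.
JOLOKIA_PREFIX = "/api/jolokia"

# Placeholder ranges: replace with the networks actually allowed to manage the broker.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("127.0.0.0/8")]


@dataclass(frozen=True)
class Finding:
    ip: str
    user: str
    method: str
    path: str
    status: int
    severity: str   # "high": untrusted source got a 2xx; "medium": untrusted source, rejected


def is_trusted(ip: str) -> bool:
    """True only for addresses inside TRUSTED_NETS; unparsable sources are never trusted."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETS)


def scan(lines: Iterable[str]) -> List[Finding]:
    """Return one Finding per Jolokia request from an untrusted source address.
    A 2xx from an untrusted source means the endpoint is both reachable and either
    unauthenticated or accepting credentials from outside (e.g. defaults left in place)."""
    findings: List[Finding] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not m["path"].startswith(JOLOKIA_PREFIX):
            continue
        if is_trusted(m["ip"]):
            continue
        status = int(m["status"])
        severity = "high" if 200 <= status < 300 else "medium"
        findings.append(Finding(m["ip"], m["user"], m["method"], m["path"], status, severity))
    return findings


# Constructed sample log: two internal requests, two from an untrusted address.
SAMPLE_LOG = [
    '10.0.5.12 - admin [14/Apr/2026:09:58:01 +0000] "GET /api/jolokia/version HTTP/1.1" 200 310',
    '10.0.5.12 - admin [14/Apr/2026:09:58:02 +0000] "GET /admin/queues.jsp HTTP/1.1" 200 8812',
    '198.51.100.23 - - [14/Apr/2026:10:02:17 +0000] "POST /api/jolokia/ HTTP/1.1" 401 0',
    '198.51.100.23 - admin [14/Apr/2026:10:02:19 +0000] "POST /api/jolokia/ HTTP/1.1" 200 542',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f.severity}] {f.ip} {f.method} {f.path} -> {f.status} (user={f.user})")
```

A "high" finding is the case the advisory warns about: a source outside the management network reached the Jolokia API and was accepted, which on an unpatched broker is the precondition for the command execution described above. Run the same check over historical logs when auditing, and alert on it continuously once access has been restricted, since any new hit then indicates a gap in the network controls.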
By taking these steps, organizations can enhance their security posture and mitigate potential threats associated with this vulnerability.